kerberos, pre_auth, and smartcards

Greg Hudson ghudson at MIT.EDU
Tue Jul 27 16:07:34 EDT 2010


On Tue, 2010-07-27 at 15:33 -0400, Bram Cymet wrote:
> By specifying the X509_user_identity on the command line kinit will ask
> me for the pin of the smart card and log into the smartcard (using
> opensc_pkcs11) but then it will do nothing else with the smartcard.

It is likely something is failing about PKINIT on the client side and
the library is silently moving on to other preauth mechanisms.  In krb5
1.9 we are adding a KRB5_TRACE environment variable which can be used to
help delve into problems like this where something went wrong but there
is no error message, but that doesn't help you yet.

Since you're building from source, you might try rebuilding
src/plugins/preauth/pkinit with CFLAGS="-DDEBUG" and possibly some of
the more specific debug flags as necessary:

DEBUG_ASN1
DEBUG_CERTCHAIN
DEBUG_CKSUM
DEBUG_DH
DEBUG_MECHINFO
DEBUG_SAN_INFO
DEBUG_SIG

> It is my understanding that with pre_auth required pkinit should be used
> and there should be some type of certificate verification correct? This
> does not seem to be going on here. I have not specified a client cert
> and I know it is not getting the cert off the smartcard. Is my
> interpretation of pre_auth required incorrect?

preauth-required doesn't specify which kind of preauth is required.  The
client is proving its knowledge of the password using a much simpler
mechanism called "encrypted timestamp", and that's sufficient for the
KDC to issue a ticket.

Currently, if you want to specifically require pkinit, you'll need to
randomize the principal's key so that there is no valid password.
